Setting up your own Linux Server part 1: security

With new server companies like DigitalOcean and Linode, spawning your own VPS has never been this easy (and dirt cheap). We're going to explore setting up your own server. Let's start by setting up a fresh server and getting the IP, root user and password.

Let's start with an Ubuntu 12.04 LTS.
LTS stands for "Long Term Support" and guarantees us 5 years of updates (read more about the Ubuntu core team release cycles here).

We're going to explore 3 topics:

  1. SSH
  2. UFW (Uncomplicated Firewall)
  3. Fail2Ban

1. SSH

SSH allows you to connect to your server using an IP, username and password. We're going to disable logging in with a password and instead rely on an SSH key to log in. This allows us to be more secure and decreases the chance of a successful rainbow attack. Let's start by making a private/public SSH key pair.

Open your favorite terminal app (we use iTerm2)

We're going to create a local key pair with this command:

ssh-keygen -t rsa -C "youremail@weworkweplay.com"

It will prompt you with "Enter file in which to save the key"; you can enter:

~/.ssh/weworkweplay_rsa

Then it will prompt with "Enter passphrase", so we just enter a password like:

weworkwepassword

Enter your password again and we're all set. Now get the IP of your new server and log in using this command (where 111.222.333 is the IP of your server):

ssh root@111.222.333

Let's first update and upgrade our new Ubuntu with these commands:

apt-get update
apt-get upgrade

And now we're opening the authorized_keys file and adding our previously generated key:

sudo nano ~/.ssh/authorized_keys

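Open the public key you generated locally (~/.ssh/weworkweplay_rsa.pub) on your computer and copy its content; the private key, ~/.ssh/weworkweplay_rsa, stays on your computer. Paste the public key in your console, then Control+X and "Y" your way out.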

Now we just need to disable password based logins for ssh. Open your ssh config file:

sudo nano /etc/ssh/sshd_config

Set the following values to "no":

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Control+X and 'Y' to save the settings. Next we reload our SSH with this command:

sudo /etc/init.d/ssh reload

When you exit and try to reconnect you won't need to type your password again; the server connects using your local ssh-key and knows it's you!

Extra

As an extra layer of security you can change your SSH port to a different one so random flood attacks on IP ranges have less chance of hitting you. Open the SSH config file:

sudo nano /etc/ssh/sshd_config

and adjust the port setting:

Port 9182

reload the settings:

sudo /etc/init.d/ssh reload

When you exit the SSH session you have to specify the port when you want to login again using the -p flag at the end of your command:

ssh root@123.456.78.90 -p 9182
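A check worth running before the reload, shown here as an added example that is not part of the original article: it reads an sshd_config the way sshd does (first match wins) and confirms the three settings above are really in effect. The function names `sshd_effective` and `password_logins_disabled` and the sample config are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# case-insensitively, so a "yes" higher up in the file wins over a later "no".

# Print the effective (first, global-section) value of keyword $2 in file $1.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }   # comment line
        tolower($1) == "match"      { exit }   # global section ends at first Match
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 only if the three settings from the article are explicitly "no".
password_logins_disabled() {
    for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        val=$(sshd_effective "$1" "$key")
        if [ "$val" != "no" ]; then
            echo "FAIL: $key is '${val:-unset}' in $1" >&2
            return 1
        fi
    done
    echo "OK: password-based logins are disabled in $1"
}

# Constructed sample config: a stale "yes" sits above the newly added "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 9182
#PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM no
PasswordAuthentication no
EOF
password_logins_disabled "$sample" || echo "Fix the first match, then reload sshd."
rm -f "$sample"
```

On the server, run `password_logins_disabled /etc/ssh/sshd_config && sshd -t` before the reload. Keep the current session open until a key-based login (with `-i ~/.ssh/weworkweplay_rsa`) works from a second terminal.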

2. UFW

UFW stands for "The Uncomplicated Firewall" and basically acts as a simplicity layer on top of your iptables firewall. Using a set of simple commands you can construct a firewall that keeps you safe from most attacks. Warning! Watch out with firewall rules that deny all access because you'll get shut out yourself (ssh blocked => bricked server).

Let's start by installing UFW and allowing our SSH connection so we don't get locked out.

sudo apt-get install ufw
sudo ufw allow ssh/tcp
sudo ufw logging on
sudo ufw enable
sudo ufw status

The last command will give you something like this:

Firewall loaded

To Action From
-- ------ ----
22:tcp ALLOW Anywhere

We're now firewalled with the exception of our port 22. You can easily add more ports or apps by using this syntax:

sudo ufw allow [APP]
sudo ufw allow [PORT]

To enter more specific rules, for example to allow Samba access to all local IPs in the 192.168.0.x range, you simply enter:

ufw allow from 192.168.0.0/24 to any app Samba

To enable HTTP, HTTPS and FTP support:

ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 21/tcp

For email (SMTP and IMAP):

ufw allow 993/tcp
ufw allow 587/tcp
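The lockout warning above matters most if you followed the optional port change in section 1: `ufw allow ssh/tcp` opens port 22, not 9182. The following added example (not from the original article) compares the Port lines in sshd_config with the ALLOW rules in `ufw status` output; the function names and the sample status text are constructed for this illustration, and rules created by app name are not resolved.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Ports sshd listens on according to config file $1 (22 when no Port line is set).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Read `ufw status` text on stdin; return 0 only if every sshd port in config
# file $1 has an ALLOW rule. Accepts "9182", "9182/tcp" and the older "9182:tcp".
ufw_allows_sshd() {
    rules=$(awk '$2 == "ALLOW" { print $1 }')
    for port in $(sshd_ports "$1"); do
        if ! printf '%s\n' "$rules" | grep -Eq "^$port([/:]tcp)?\$"; then
            echo "LOCKOUT RISK: no ALLOW rule for SSH port $port/tcp" >&2
            return 1
        fi
    done
}

# Constructed sample: sshd moved to 9182, firewall still only allows 22.
cfg=$(mktemp)
printf 'Port 9182\nPasswordAuthentication no\n' > "$cfg"
ufw_allows_sshd "$cfg" <<'EOF' || echo "Run: sudo ufw allow 9182/tcp"
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
EOF
rm -f "$cfg"
```

On the server, pipe the live rules in with `sudo ufw status | ufw_allows_sshd /etc/ssh/sshd_config` before running `ufw enable` or closing your session.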

3. Fail2Ban

Fail2Ban automatically scans through your log files and filters offending and suspicious activity. It then sets up a slowing algorithm that enforces increasing timeouts and eventually adds an attacker's IP to your firewall blocklist. Install fail2ban using apt:

sudo apt-get install fail2ban

Copy the default settings to a .local file and start editing from that.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

The top section covers the basics. Each section provides you with more options. We want to change ignoreip and destemail: set ignoreip to our own IP address or a safe IP so we don't get locked out from our server, and destemail to an email address so we can monitor what's going on.

The [ACTION] section defines how bad actions should be handled, the defaults (iptables) are fine here.

Note that fail2ban doesn't write its exceptions to the UFW ruleset. Checking the rules of fail2ban can be achieved with this command:

service fail2ban status

Finally, restart fail2ban:

sudo service fail2ban restart
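To make the log scanning and the role of ignoreip concrete, here is an added example that is not part of the original article and is not Fail2Ban's own code: a reduced version of the idea that counts failed SSH password attempts per source IP and skips ignored addresses. The function name `ssh_offenders`, the threshold argument (jail.local calls its counterpart maxretry) and the log excerpt are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article, not Fail2Ban's own code).
# Simplified: counts over the whole file, with no time window.

# Print "count ip" for every source IP with at least $2 failed SSH password
# attempts in log file $1. Further arguments are exact IPs to skip, playing
# the role of ignoreip.
ssh_offenders() {
    log=$1; maxretry=$2; shift 2
    awk -v max="$maxretry" -v ignore=" $* " '
        / sshd\[[0-9]+\]: Failed password for / && $(NF - 4) == "from" {
            # Take the IP by its position from the END of the line: the user
            # name is remote-controlled text and could itself contain "from".
            ip = $(NF - 3)
            if (index(ignore, " " ip " ") == 0) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' "$log" | sort -rn
}

# Constructed auth.log excerpt using documentation-only addresses.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jan 10 03:12:41 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 52311 ssh2
Jan 10 03:12:44 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 52311 ssh2
Jan 10 03:12:49 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 52330 ssh2
Jan 10 03:15:02 web1 sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Jan 10 09:01:10 web1 sshd[2201]: Failed password for root from 192.0.2.10 port 61000 ssh2
Jan 10 09:01:15 web1 sshd[2201]: Failed password for root from 192.0.2.10 port 61000 ssh2
Jan 10 09:01:21 web1 sshd[2201]: Failed password for root from 192.0.2.10 port 61000 ssh2
Jan 10 09:01:30 web1 sshd[2201]: Accepted publickey for root from 192.0.2.10 port 61002 ssh2
EOF
# 192.0.2.10 stands in for our own address, so it is passed as ignored.
ssh_offenders "$sample_log" 3 192.0.2.10
rm -f "$sample_log"
```

Without the ignored address, the admin who mistyped a password three times would be listed next to the real offender, which is the lockout that setting ignoreip prevents.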

Written by Thijs Bernolet